The UAE's virtual-asset regulatory landscape is not one regime but three overlapping ones. The Dubai Virtual Assets Regulatory Authority covers virtual-asset activities in or from the Emirate of Dubai (excluding DIFC). The FSRA covers virtual-asset activities in Abu Dhabi Global Market. The CMA (Securities and Commodities Authority) covers virtual-asset activities at the federal UAE level — which in practice means activities in or from the UAE mainland that fall outside the Dubai and ADGM perimeters, and certain federal-level interactions across all jurisdictions.

Operators frequently focus exclusively on VARA (the most prominent regime) or on ADGM (the most established free zone for virtual-asset funds), and miss the CMA dimension. That is a structuring error.

What the CMA's virtual asset framework actually covers.

The CMA framework captures the following categories of virtual-asset activity at the federal level:

  • Issuance of virtual assets that are securities or commodities — tokens that exhibit the characteristics of securities (equity, debt, profit-sharing) or commodity tokens, where the issuance is in or from the UAE mainland.
  • Public offering of virtual-asset products to UAE retail investors outside the DIFC and ADGM perimeters.
  • Investment funds and collective investment schemes that invest in virtual assets and are offered to UAE mainland investors.
  • Securities-token offerings regardless of the underlying technology — the test is the substance of the right being offered, not the form of the instrument.
  • Capital markets intermediation for tokenised securities and asset-backed token offerings.
  • Federal-level coordination with VARA, FSRA, the Central Bank, and other UAE regulators on cross-perimeter issues.

The substance test: when a token is a security under CMA principles.

The CMA does not assess virtual assets by their label. The test is whether the token exhibits the economic substance of a security or other regulated financial instrument. The factors:

  • Profit-sharing or yield rights — tokens that entitle holders to a share of issuer revenues, profits, or staking rewards beyond a pure utility-fee model.
  • Equity-like rights — ownership, voting, claims on residual value, governance rights with economic consequence.
  • Debt-like characteristics — promise of capital return, fixed yield, redemption rights.
  • Investment of money with an expectation of profit from managerial efforts — the standard 'Howey-style' analysis applied through a UAE lens.
  • Asset-backing — tokens representing fractional interests in real-world assets (real estate, commodities, private credit, alternative investments).

Tokens passing one or more of these tests are likely securities under CMA principles and require federal-level licensing or appropriate exemption to be offered in or from the UAE mainland.

How CMA, VARA and FSRA fit together.

| Activity | Primary regulator |
|---|---|
| Spot exchange, custody, broker-dealer, lending in or from Dubai (excluding DIFC) | VARA |
| Virtual-asset financial services in ADGM | FSRA |
| Virtual-asset financial services in DIFC | DFSA |
| Issuance / public offering of security tokens to UAE mainland investors | CMA |
| Federal-level coordination, mainland virtual-asset fund offering | CMA |
| Stored-value facilities, payment tokens for mainland payment use | Central Bank (CBUAE) |

The boundaries can overlap. A token offering that is both a security (CMA) and the underlying asset of a virtual-asset exchange (VARA) involves both regulators. The operator's choice of structure determines which becomes the primary engagement.

The most common mistake we see in mainland UAE virtual-asset structuring is teams that have completed VARA or ADGM licensing assuming that covers their entire UAE operation. It does not. Mainland-facing securitised offerings sit with the CMA and need their own regulatory pathway.

The CMA pathway: what's involved.

For an issuer or operator whose activity falls within the CMA perimeter, the pathway typically involves:

  1. Scope confirmation — written analysis of whether the proposed activity falls within CMA jurisdiction, with consideration of any available exemption pathway (private placement, professional-investor-only offering, sandbox).
  2. Pre-application engagement — informal regulator engagement to align on scope, classification, and process before formal submission.
  3. Application preparation — regulatory business plan, governance framework, AML/CFT compliance, technology controls, custody arrangements for any underlying asset, investor-disclosure documentation.
  4. Formal submission and assessment — including substantive review of the offering structure, the investor protections, and the issuer's fit-and-properness.
  5. Approval, conditions and ongoing supervision — including reporting obligations, marketing restrictions, and any specific conditions attached to the authorisation.

The marketing dimension across all three regimes.

An operator marketing a virtual-asset product to UAE-resident investors must navigate the marketing rules of every applicable regulator. VARA's Marketing Regulations 2024 (Dubai), FSRA's marketing framework (ADGM), and the CMA's mainland-investor offering rules each impose their own requirements — including who may market, what disclosures must accompany the marketing, and what penalties apply for breach. A mainland-issued token that is marketed to Dubai users without VARA authorisation is exposed under VARA's marketing regulations regardless of whether the issuance itself is properly CMA-authorised.

What this means for cross-perimeter operators.

For operators that span multiple parts of the UAE:

  • Map every revenue stream against every regulator — identify which activities sit with VARA, FSRA, CMA and CBUAE, and where the boundaries lie.
  • Don't assume one licence covers everything — a VARA licence for spot exchange does not cover a securitised token offering to UAE mainland investors.
  • Plan the regulator-engagement sequence — some regulators want to see other regulators' approvals before issuing their own; others want to engage in parallel.
  • Manage the marketing perimeter carefully — even unintended marketing to a UAE jurisdiction outside the operator's licensed perimeter triggers exposure.

Conclusion.

The CMA virtual-asset framework is the federal layer most virtual-asset operators overlook — and the layer that, increasingly, catches mainland-facing securitised offerings, fund products, and tokenised real-world assets. Operators serious about a long-term UAE position need to map their activity against all four regulators (CMA, VARA, FSRA, CBUAE) and build the licensing architecture accordingly. Neo Legal advises virtual-asset operators across the full UAE regulatory landscape and coordinates engagement with each relevant regulator as a single integrated workstream.